section
  h3(id='csrf') csrf()

  p.
    CSRF protection middleware.
  
  p.
    By default this middleware generates a token named "_csrf",
    which should be included in every request that mutates
    state, for example in a hidden form field or the query string.
    The submitted token is validated against the visitor's
    <code>req.session._csrf</code> property.
  
  p.
    The default <code>value</code> function checks <code>req.body</code> generated
    by the <code>bodyParser()</code> middleware, <code>req.query</code> generated
    by <code>query()</code>, and the "X-CSRF-Token" header field.

  p.
    This middleware requires session support, so it should be added
    somewhere below <code>session()</code>.
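
  p.
    The sketch below is an added example, not Connect's own source. It follows the
    checks described above: the token lives in <code>req.session._csrf</code> and is looked up
    in the body, the query string and the "X-CSRF-Token" header. The names <code>csrfSketch</code>,
    <code>defaultValue</code>, <code>safeEqual</code> and <code>check</code> are hypothetical, and skipping
    GET, HEAD and OPTIONS is an assumption about which requests do not mutate state.

```javascript
// Added illustration, not Connect's source. Only "_csrf" and "X-CSRF-Token"
// come from the documentation above; every other name is hypothetical.
const crypto = require('crypto');

// Mirrors the documented default `value` function: body, then query, then header.
function defaultValue(req) {
  return (req.body && req.body._csrf)
    || (req.query && req.query._csrf)
    || (req.headers && req.headers['x-csrf-token']);
}

// Constant-time comparison so the check does not leak how many bytes matched.
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

function csrfSketch(options) {
  const value = (options && options.value) || defaultValue;
  return function (req, res, next) {
    // Without a session there is nothing to validate against.
    if (!req.session) return next(new Error('session() must run before csrf'));
    // One token per session, created on first use.
    const token = req.session._csrf ||
      (req.session._csrf = crypto.randomBytes(24).toString('base64'));
    // Assumption: only these methods are treated as non-mutating.
    if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) return next();
    if (!safeEqual(value(req), token)) {
      const err = new Error('invalid csrf token');
      err.status = 403;
      return next(err);
    }
    next();
  };
}

// Runs the middleware over a constructed request; returns the error or null.
function check(req) {
  let result;
  csrfSketch()(req, {}, (err) => { result = err || null; });
  return result;
}
```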